BradReese.Com Cisco vs. ZTE Price Quote Comparisons


Mike Patterson speaks out

The unique NSEL elements of the Cisco ASA firewall

Only a few vendors realize that the ASA exports Network Address Translation (NAT) details.

Wed, 6/27/12 - 11:59pm

It's time I posted something about Cisco ASA NSEL NetFlow reporting, since Plixer's NetFlow Analyzer is one of the only flow analysis technologies that can currently report on the non-traditional elements such as username, NAT, ACLs, etc.

It's important to understand that the ASA was not initially designed to export NetFlow. For years syslog was the preferred mechanism for exporting firewall logs. Over time, Cisco engineers came to realize that NetFlow export was more efficient, both for the firewall and for the log aggregation technology receiving it. Customers were also pressing for a NetFlow export, and now we have it!

This post is not about the traditional NetFlow reporting you can do on the NetFlow exported by the Cisco ASA; we'll focus on the unique NSEL elements that most other vendors aren't even looking at. Only a few vendors realize that the ASA exports Network Address Translation (NAT) details:


NAT details can be invaluable for tracking down problems that originate from within the internal network. The ASA's NSEL NAT templates allow the network or security analyst to "see around" the NAT, saving time and hastening the process of problem resolution.

As with syslog, the ASA also exports NSEL records that identify the ACL a flow hit, along with the NSEL Event (for example flow created, deleted or denied) and Extended Event (the reason, such as denied by the ingress or egress ACL).


These new reports can be used for firewall rule planning or for verifying that existing rules are blocking traffic from a specific host or application. They can also be used to find out what ACL is blocking traffic that the company needs to get through.

In short, the ASA's NSEL export helps reduce finger pointing: it can eliminate the firewall as the cause of a problem, and when a rule or NAT policy really is at fault, it cuts the time needed to find and fix it.

And the great thing is that NSEL is already available in your ASA. All you need to benefit is a NetFlow collector capable of making use of the NSEL information.
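To make the NAT and ACL points above concrete, here is a minimal NetFlow v9 decoder that understands the NSEL fields and prints what a syslog line would not show: the post-NAT tuple for a created flow, and the ACL ID and reason for a denied one. This is an added example, not code from the post or from Plixer. The field numbers, event codes, and the three-hash layout of the ACL ID are as I recall them from Cisco's NSEL implementation guide and should be checked against your ASA release; the export packet is constructed inline and is not a real capture.

```python
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers used by NSEL. 4/7/8/11/12 and 225-233 are
# standard IANA elements; 33000-33002 and 40000 are Cisco-specific NSEL
# elements. Numbers and the event code meanings below are as I recall them
# from Cisco's NSEL implementation guide (assumption: check your ASA release).
FIELD_NAMES = {
    8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port", 4: "protocol",
    225: "xlate_src_addr", 226: "xlate_dst_addr",
    227: "xlate_src_port", 228: "xlate_dst_port",
    233: "fw_event", 33002: "fw_ext_event",
    33000: "ingress_acl_id", 33001: "egress_acl_id", 40000: "username",
}
FW_EVENT = {0: "ignore", 1: "created", 2: "deleted", 3: "denied", 4: "alert"}
FW_EXT_EVENT = {1001: "denied by ingress ACL", 1002: "denied by egress ACL",
                1003: "denied: connection to an interface service",
                1004: "denied: first packet was not a TCP SYN"}
Template = List[Tuple[int, int]]            # [(field_type, field_length), ...]


def _decode_value(name: str, raw: bytes):
    if name.endswith("_addr"):
        return socket.inet_ntoa(raw)
    if name.endswith("_acl_id"):
        # An NSEL ACL ID is three 4-byte hashes (ACL name, ACE, extended ACE),
        # the same hashes `show access-list` prints on the ASA (assumption).
        return "-".join(f"{h:08x}" for h in struct.unpack("!III", raw))
    if name == "username":
        return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return int.from_bytes(raw, "big")


def decode_v9(packet: bytes, templates: Dict[Tuple[int, int], Template]) -> List[dict]:
    """Decode one NetFlow v9 export packet. `templates` is the collector's cache,
    keyed by (source_id, template_id); it must persist across packets because the
    ASA only re-sends templates periodically. Data FlowSets whose template has
    not been seen yet are skipped, exactly as a real collector has to do."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                       # template FlowSet, may hold several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:                   # data FlowSet (id 1 would be an options template)
            fields = templates.get((source_id, fs_id))
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):   # trailing bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = _decode_value(name, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        off += fs_len
    return records


def summarize(rec: dict) -> str:
    """One line per record: the post-NAT tuple for a created flow, or the ACL ID
    and reason for a denied one, plus the AAA username when the ASA knows it."""
    event = FW_EVENT.get(rec["fw_event"], f"event {rec['fw_event']}")
    line = (f"{event.upper():8s}{rec['src_addr']}:{rec['src_port']} -> "
            f"{rec['dst_addr']}:{rec['dst_port']} proto {rec['protocol']}")
    if rec["fw_event"] == 3:
        ext = rec["fw_ext_event"]
        acl = rec["ingress_acl_id"] if ext == 1001 else rec["egress_acl_id"]
        line += f"  {FW_EXT_EVENT.get(ext, f'ext_event {ext}')} (acl_id {acl})"
    elif (rec["xlate_src_addr"], rec["xlate_src_port"]) != (rec["src_addr"], rec["src_port"]):
        line += f"  NAT {rec['xlate_src_addr']}:{rec['xlate_src_port']}"
    if rec["username"]:
        line += f"  user={rec['username']}"
    return line


# --- constructed sample export (not a real capture) -------------------------
NSEL_TEMPLATE: Template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (225, 4), (226, 4),
                           (227, 2), (228, 2), (233, 1), (33002, 2), (33000, 12), (33001, 12), (40000, 20)]


def _record(src, sport, dst, dport, proto, xsrc, xsport, xdst, xdport, event, ext, in_acl, out_acl, user):
    return (socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHB", sport, dport, proto)
            + socket.inet_aton(xsrc) + socket.inet_aton(xdst)
            + struct.pack("!HHBH", xsport, xdport, event, ext)
            + in_acl + out_acl + user.encode().ljust(20, b"\x00"))


def build_sample_packet(include_template: bool = True) -> bytes:
    """NetFlow v9 packet with template 263 and two NSEL records: a PAT'd outbound
    HTTPS flow for user jdoe, and a telnet attempt denied by the ingress ACL."""
    recs = (_record("10.1.1.25", 51234, "203.0.113.10", 443, 6,
                    "198.51.100.1", 1024, "203.0.113.10", 443, 1, 0, b"\x00" * 12, b"\x00" * 12, "jdoe")
            + _record("10.1.1.40", 54321, "192.0.2.7", 23, 6,
                      "10.1.1.40", 54321, "192.0.2.7", 23, 3, 1001,
                      bytes.fromhex("1a2b3c4d5e6f708192a3b4c5"), b"\x00" * 12, ""))
    data_fs = struct.pack("!HH", 263, 4 + len(recs)) + recs
    tmpl = struct.pack("!HH", 263, len(NSEL_TEMPLATE)) + b"".join(struct.pack("!HH", *f) for f in NSEL_TEMPLATE)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl if include_template else b""
    count = 2 + (1 if include_template else 0)  # header count = templates + data records
    return struct.pack("!HHIIII", 9, count, 1000, 1340841540, 1, 0) + tmpl_fs + data_fs


if __name__ == "__main__":
    cache: Dict[Tuple[int, int], Template] = {}
    for rec in decode_v9(build_sample_packet(), cache):
        print(summarize(rec))
```

Two things worth noticing when you adapt this to a live export. First, the template cache is keyed by source ID as well as template ID and is kept across packets; a data FlowSet that arrives before its template is silently dropped, which is why a collector that is just started will show nothing until the ASA's next template refresh. Second, the 12-byte ACL ID is only meaningful once you map the hashes back to rule names from the ASA's own `show access-list` output, so store that mapping alongside the flows.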

As the first firewall to support NetFlow, the ASA's export does have a few shortcomings: no active timeout for long-lived flows (a flow is only reported when it is created and when it is torn down), no TCP flags, a non-standard bidirectional format, and a few other issues that are not a huge problem for most NetFlow fans. Besides, I may have heard a rumor that these issues, or most of the issues in the NetFlow export, are fixed in an upcoming 2012 release. Stay tuned...

Reach out to my team if you are interested in gaining access to reports like the above or if you have questions on the ASA NetFlow configuration.
